Executive Summary

A Preliminary Privacy Impact Assessment (PPIA) was developed on the National Routing System’s (NRS) Pilot Initiative query functionality that will be used by Passport Canada (PPTC) to validate vital statistics information in relation to determining passport entitlement. The rationale for completing a PPIA is that the NRS was at an early stage of development. The design concept is being validated through the NRS Pilot Initiative. The PPIA addresses the NRS Pilot Initiative only.

This PPIA found minor privacy risks and offered options to mitigate them. Most of the risks identified were related to information management /information technology and the inherent risk associated with capturing, storing and transmitting personal information. The following summarizes the risks and the mitigation action proposed:

Privacy Risk Mitigation

Risks identified:

Unauthorized individuals are able to view personal information. To mitigate this risk, Passport Canada has in place necessary authentication safeguards that control access to the technical and physical infrastructure that will be used for the pilot.

Data that is being routed between partners has the risk of either being routed to an unauthorized entity or of being intercepted by unauthorized persons. To mitigate this risk, the data are encrypted at source using approved cryptographic methods and are not decrypted until they reside on the receiving organization’s secure internal network.

Unauthorized persons such as hackers gain access to a system that contains personal information. System security measures such as firewalls, network disconnection devices, virus detection and network monitoring software and restricted access to computing environment (physical protection of devices) are used to mitigate this risk,

The modification of personal information once it is entered into the database is a risk. To mitigate this risk, PPTC policy requirements for internal logging and access controls appear appropriate to deter internal modification

The PPIA Report did not identify any privacy risks that would warrant a PIA. A Threat and Risk Assessment will be carried out to complement the risk analysis carried out in the PPIA. Furthermore, if NRS design changes are contemplated, an analysis should be undertaken to determine whether or not a PIA is required.

Potential Privacy Risks:

This section summarizes various issues that have been identified during the course of this preliminary privacy risk assessment. The Birth Certificate Verification System will not interact directly with Passport applicants who submit information to PPTC. Furthermore, the Secure Channel’s Secure Message Routing System does not deal with “content” per se insofar as it is a “routing” application receiving requests from Passport, transmitting them to the pertinent provincial vital statistics organization and “routing” the information back to Passport for processing of the results. The applications facilitate the verification element associated with the current process used to determine an individual’s entitlement to a Canadian Passport. In this context, very few “direct” or new privacy issues exist.

Authentication

Risk Definition:

The issue of authentication usually arises in the context of wanting to know who is providing information or accessing a particular system in order to ensure that only authorized individuals see the personal information in question.

Risk Assessment:

In this instance, authentication requirements are limited to Passport personnel. Passport applicants do not access the birth certificate or the applications. Passport Canada has in place necessary authentication safeguards that control access to the technical and physical infrastructure that will be used for the pilot.

Inappropriate Interception of Data during Routing

Risk Definition:

Data that is being routed between partners has the risk of either being routed to an unauthorized entity or of being intercepted by unauthorized persons.

Risk Assessment:

This risk of this interception is very unlikely and would result in only one record being compromised as compared to an inappropriate access event. To mitigate this risk, the data are encrypted at source using approved cryptographic methods and are not decrypted until they reside on the receiving organization’s secure internal network. NRS Pilot Initiative would ensure that data are transmitted in a secure manner and according to standards agreed upon by the partners. The use of Secure Channel and its additional security features (e.g. encryption of message traffic) further mitigates this risk.

Inappropriate Access to System

Risk Definition:

There is always the very real risk that unauthorized persons such as hackers will gain access to a system that contains personal information.

Risk Assessment:

Addressing the subject of inappropriate access is best done by ensuring access to Personal Information by support or PPTC personnel is limited to a “need to know” basis. Only individuals who are permitted access to the pilot system (i.e. systems administrators and pilot staff) will have access to the Personal Information processed by the applications in question (birth certificate information). Access logs will be used to identify those who access the applications and may be used as a mechanism to monitor such access. The use of system security measures such as firewalls, network disconnection devices, virus detection and network monitoring software and restricted access to computing environment (physical protection of devices) will further mitigate this risk.

Accuracy of Personal Information

Risk Definition:

Modification of information in a privacy context will arise as a concern about identity theft or concerns about the accuracy of the information (and the corresponding need to correct if inaccurate and provide notice of correction). In submitting Passport application-related personal Information, modification of such information is only possible once it is entered into the database.

Risk Assessment:

PPTC policy requirements for internal logging and access controls appear appropriate to deter internal modification, or identify such modification should it occur after it is entered into the database. The information in question in this PPIA is birth certificate information that is taken as is and transmitted for verification as is. In this sense, the information is not modified. There is, however, the possibility of human error at the data entry stage. Internal adjudications by the Security Section of query response to confirm the validity of the query results of PPTC will reduce the risk of “false negatives.” Moreover, no administrative decision will be taken by PPTC until such reviews and, where required, investigations by the RCMP are concluded.

Consent

Risk Definition:

Passport applicants give their consent to have the information they provide verified and security queries conducted. This consent obviously encompasses the validation of vital event information (such as birth certificate information) and verifying the status of the registration (i.e. for flags such as death or loss/stolen status flags).

Risk Assessment:

In the context of passports, consent of applicants is explicit and implicit. This is seen on the Application Form where:

Applicants declare solemnly that all the statements made are true and appose their signature beside that declaration;

Applicants’ signature is apposed on each page of the Form;

Applicants and guarantors are warned against any false statement, misrepresentation or concealment of any material fact on the Application Form, or any document presented in support of the application, since these acts would constitute a criminal offence under the Criminal Code;

False statement, misrepresentation or concealment of any material fact also constitutes grounds for refusing to issue a passport;

There is a Notification indicating to applicants that “all information provided is subject to routine verifications and security queries”;

Applicants’ signature vouches for their solemn affirmation of the truthfulness of statements made I information provided in the application, and also their consent to have the information verified / validated and security queries conducted.

Applicants thus consent to have their vital event information validated and the privacy related risk is therefore nil.